How does it work?

The malware is bundled into apps distributed through third-party app stores. Once such an app is downloaded, the malware activates only after the infected device is restarted.

When the device is restarted, CopyCat attempts to root it in order to gain admin privileges. It does so through a group of exploits downloaded from an Amazon S3 bucket.

Once the device has been rooted, the malware installs a component in the system directory, which makes it impossible to remove the malware.

Finally, the malware targets Zygote, which is Android’s core process for downloading and installing apps. Once Zygote is infected, CopyCat gets admin rights and subsequently installs fake apps on the infected device.

The attacker earns revenue by replacing a genuine app’s referrer ID with a fake one. Moreover, the admin rights allow the attacker to generate further revenue by having the malware display fake ads and install fraudulent apps.
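As described above, CopyCat arrives through sideloaded apps and, after rooting, persists in the system partition. Two cheap triage checks a responder can run over a suspect device follow from that: which third-party packages were not installed by the Play Store, and whether /system is mounted writable. The script below is an added example, not code from the article or from Check Point; it parses constructed samples of `adb shell pm list packages -3 -i` and `adb shell mount` output, and the package names are made up.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` output (third-party
# packages with their installer). Not real device data.
SAMPLE_PM_OUTPUT = """\
package:com.example.weather  installer=com.android.vending
package:com.example.flashlight  installer=com.thirdparty.market
package:com.example.cleaner  installer=null
"""

# Constructed sample of `adb shell mount` output. A stock device never has
# /system mounted rw; a rooted device that has written a persistence component
# into the system directory often does.
SAMPLE_MOUNT_OUTPUT = """\
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev 0 0
"""

# Package name of the Google Play Store; extend for enterprise stores you trust.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def sideloaded_packages(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs not installed by a trusted store.

    'null' means no installer recorded, i.e. sideloaded via adb or an APK file.
    """
    flagged = []
    for line in pm_output.splitlines():
        match = PKG_RE.match(line.strip())
        if match is None:
            continue  # skip blank or unexpected lines
        package, installer = match.groups()
        if installer not in trusted:
            flagged.append((package, installer))
    return flagged


def system_mounted_rw(mount_output):
    """True if the /system mount line carries the 'rw' option."""
    for line in mount_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/system":
            return "rw" in parts[3].split(",")
    return False  # no /system line found; treat as not writable


def triage(pm_output, mount_output):
    """Combine both checks into a small report dict."""
    return {
        "sideloaded": sideloaded_packages(pm_output),
        "system_rw": system_mounted_rw(mount_output),
    }
```

On a live device, feed the functions the captured output of the two adb commands and review every flagged package by hand; a writable /system on its own is a strong signal that the device has been rooted.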

CopyCat’s command-and-control (C&C) server

Researchers at Check Point also examined the malware’s C&C server to gain more insight into how the malware operates. The investigation revealed that the data found on the server dates back to 2016 and earlier.

In fact, around 3.8 million devices were infected last year between April and May, while 4.4 million devices were infiltrated to install fake apps on Google Play and thereby generate revenue for the attacker.

The researchers also stated that the malware exploited vulnerabilities that were quite common, some of which have been known since 2013. The reason the attackers were able to access users’ devices was probably that users had not updated their systems.

Who is responsible for the attack?

There is no evidence pointing to any particular culprit, but experts believe that an ad network based in China might be behind it.

Google’s response

When asked, Google said it was aware of the malware and believed it to be a variant of a larger malware family. It stated that an update is released to patch vulnerable devices whenever related malware is discovered.

However, a researcher from Check Point stated that the malware demonstrates some very different techniques, which show that CopyCat does not belong to any malware family.

Nevertheless, it does share similarities with other malware, particularly HummingBad and Gooligan. The former broke into 1 million Google accounts last year, while the latter, like CopyCat, was part of an ad fraud campaign.

PlayProtect

Google pointed to PlayProtect, the company’s malware detection software. PlayProtect scans all the apps installed on a user’s phone and checks whether an infection is present.


HackRead is a news platform that centers on InfoSec, cyber crime, privacy, surveillance and hacking news, with full-scale reviews of social media platforms and technology trends. Founded in 2011, HackRead is based in Milan, Italy.